The American cybersecurity agency CISA is warning users of SolarWinds network tools about a serious vulnerability. Besides CISA, private security companies also report that companies are being actively attacked through this vulnerability.
The warning comes from the US Cybersecurity and Infrastructure Security Agency, or CISA, which has issued an emergency directive concerning the Orion network management tools. SolarWinds has also published its own statement warning of the vulnerability. It specifically concerns versions 2019.4 HF 5 up to and including 2020.2.1 of the Orion software, versions that were released between March and June of this year.
The Orion software can be exploited to spread malware within networks. Orion is software for managing network access and is mainly used by companies with large network infrastructures. Security company FireEye has analyzed the attacks. That company was itself recently hit by a large-scale hack, and the hackers got in the same way. FireEye says the hackers are unobtrusive: they use relatively little malware to move around the network and go to great lengths to stay unnoticed once they have gained a foothold. According to FireEye, the hackers have to perform many manual actions during attacks and little is done automatically. It is not clear whether the attackers' ultimate goal is espionage or whether they want to spread more destructive malware, such as ransomware.
The vulnerability is specifically in the SolarWinds.Orion.Core.BusinessLayer.dll certificate component. This makes it possible to set up an unencrypted connection to external servers. According to FireEye, this can be used to steal or execute files, but also to change system settings or to disable systems. The company says the malware on the system masquerades as legitimate network traffic and first checks whether antivirus software is present.
The vulnerability recently came to light among security researchers after several US departments and government agencies were hit by a hack. Attackers managed to break into the Ministries of Finance and Trade, among others. FireEye says in its report that not only governments have been affected: the hackers have also attacked many companies, which were reportedly already infected in the spring of this year. FireEye is now warning those companies.
Neither FireEye nor the US government explicitly says who is behind the attacks. Sources tell Reuters that Russian state hackers are responsible. According to the Washington Post, it is APT29, a group linked to the Russian foreign intelligence service. In a post on Facebook, the Russian embassy denies the allegations.
SolarWinds says customers should update the software to the latest version as soon as possible. Version 2020.2.1 HF 1 reportedly no longer contains the vulnerability that is being exploited. On Tuesday, the company will release an extra patch, 2020.2.1 HF 2, which implements additional security measures and replaces the vulnerable components. FireEye itself has published a free detection toolkit.
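As an added example (not code from the article, CISA, SolarWinds or FireEye), the following Python snippet turns the version range given above into a check an administrator can run over an inventory of Orion installs: it parses SolarWinds-style version strings such as "2020.2.1 HF 1" and flags those inside the stated affected range. The inventory and host names are constructed; the range boundaries (2019.4 HF 5 through 2020.2.1 affected, 2020.2.1 HF 1 and later fixed) are taken from the text.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range as stated in the advisory text (inclusive on both ends):
# 2019.4 HF 5 ... 2020.2.1.  Versions from 2020.2.1 HF 1 onward are described as fixed.
VULN_FROM = (2019, 4, 0, 5)   # 2019.4 HF 5
VULN_TO = (2020, 2, 1, 0)     # 2020.2.1 (no hotfix)

# Accepts "YYYY.m", "YYYY.m.p", optionally followed by "HF n" (case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse an Orion version string into a comparable (year, minor, patch, hotfix) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    year, minor, patch, hotfix = m.groups()
    # A missing patch or hotfix component counts as 0 so tuples compare correctly.
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def classify(text: str) -> str:
    """Return 'vulnerable', 'fixed', 'not listed' (older than the range) or 'unknown'."""
    version = parse_orion_version(text)
    if version is None:
        return "unknown"          # unparseable string: verify by hand, do not assume safe
    if VULN_FROM <= version <= VULN_TO:
        return "vulnerable"
    if version < VULN_FROM:
        return "not listed"       # older than the stated range; not covered by the advisory text
    return "fixed"


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose reported Orion version is inside the affected range or could not be parsed."""
    return sorted(h for h, v in inventory.items() if classify(v) in ("vulnerable", "unknown"))


# Constructed sample inventory (host name -> reported Orion version).
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1",
    "orion-prod-02": "2020.2.1 HF 1",
    "orion-lab-01": "2019.4 HF 5",
    "orion-old-01": "2019.4 HF 4",
    "orion-dr-01": "unknown build",
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {classify(SAMPLE_INVENTORY[host])}")
```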